create-crush
Pass
Audited by Gen Agent Trust Hub on Apr 8, 2026
Risk Level: SAFE
DATA_EXFILTRATION, PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [DATA_EXFILTRATION]: The skill is designed to ingest and process highly sensitive personal data, including private chat histories from WeChat and QQ, and location data (GPS) extracted from photo metadata. While the skill processes data locally, the collection of this data represents a significant privacy and exposure risk.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection through its ingestion of external data.
  - Ingestion points: The skill reads and parses chat logs (txt, json, html), social media content, and text files via scripts in the `tools/` directory.
  - Boundary markers: The generated `SKILL.md` uses markdown headers to separate sections but lacks explicit instructions to the agent to ignore commands embedded in the distilled memory data.
  - Capability inventory: The skill uses the `Bash` tool to execute local scripts and the `Write`/`Edit` tools to manage files and generate new skills.
  - Sanitization: The parsing scripts do not sanitize the extracted text to prevent it from being interpreted as instructions by the agent during the distillation or interaction phases.
- [COMMAND_EXECUTION]: The skill executes local Python scripts using the `Bash` tool to parse data, analyze photos, and manage file versions.
- [COMMAND_EXECUTION]: The skill dynamically generates and writes new `SKILL.md` files and directory structures at runtime based on the analysis of user-provided data and templates.
Audit Metadata